'Turing test' promises to beat bots

A US security company has come up with a technology it says can block automated programmes responsible for perpetuating nuisances such as spam, fake email registrations and click fraud.

Jeremy Kirk, IDG News Service
June 4, 2009

IDG News Service

Share

Twitter

Facebook

LinkedIn

Google Plus

A US security company has come up with a technology it says can block automated programmes responsible for perpetuating nuisances such as spam, fake email registrations and click fraud.

The software, HumanPresent, essentially ferrets out, for example, whether a human is filling out a web-based form and stopping those actions that appear to come from automated programs, said Sanjay Sehgal, CEO of Pramana.

Next month, Pramana expects to fully launch both a SaaS (software-as-a-service) offering and an appliance that monitor web applications for intrusions by bots, Sehgal said.

Pramana's software can be applied to web-based forms, whether they be email registrations, e-commerce transactions or detecting click fraud related to banner advertising.

Sehgal is cautious about revealing how HumanPresent tells the difference between machines and people for fear that spammers will be able to create bots that act more like humans.

Pramana uses 32 metrics in its analysis to see if a web page has been approached by a bot. Aspects that are analysed include keyboard strokes and mouse clicks and the timing of those actions, Sehgal said.

For example, if a human clicks on a link on a web page and nothing happens, the typical human reaction is to click the link again. Bots won't do that, Sehgal said.

Pramana can also be applied to click fraud scenarios, where bots are programmed to open up a web page hundreds of times in order to click on the banner ads and potentially increase ad rates.

Sehgal was coy on exactly how it works, but a bot interacts with the page and an advertisement different than a human would. If Pramana detects that a bot is clicking on ads, a dummy ad can be substituted instead to avoid having tainted statistics.

For the SaaS offering, Pramana's technology is integrated into a web application. When someone tries to do a log-in, for example, some of that session information is sent back to Pramana for nearly instant analysis. If Pramana detects a bot, the website could then opt to ask the person to go through some other verification step.

Pramana is one alternative to CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the box of squiggly characters a person must enter in order to prove they're human. Previously, it was hard for computers to solve CAPTCHAs, but that has changed in recent years. Also, it's believed that scammers in some instances have employed real people to solve CAPTCHAs.

Pramana's software is being actively used by a few businesses. ZCorum, which provides back-end services for small- to medium-size service providers and other ISPs, is one customer. Like other email service providers, hackers targeted the Alpharetta, Georgia, company's webmail services.

Those hackers would obtain a customer's log-in credentials for an email account and then relay spam through it, said Scott Helms, vice president of technology for ZCorum.

It used to be easy to detect the spam runs. A spammer would flood thousands of messages through one account, which would trigger alarms. But in recent years, spammers tended to have their bots abuse 10 or 20 accounts but send fewer messages per hour, which made them much harder to detect, Helms said.

"It's definitely a struggle for service providers of all sizes," Helms said.

ZCorum had been using the reCAPTCHA system from Carnegie Mellon University, but the puzzles frustrated end users. "The biggest thing that we really wanted was just to find a good way of protecting our systems and at the same time making the end-user experience a positive one," Helms said.

Three of ZCorum's 200 or so ISP customers are now using Pramana and are pleased with the results, Helms said. When a customer logs into webmail, that session information is sent to Pramana for analysis using a bit of JavaScript integrated into the webmail service. Also, some session information from the e-mail composition window is sent for analysis but not any content from the email.

When humans write emails, they make spelling mistakes, do back spaces and are pretty random. Bots, on the other hand, are methodic, which can give them away.

False positives - where Pramana mistakenly detects a bot - are less than a tenth of 1 percent, Helms said. Even if people are labeled a bot rather than human, the ISP can configure the system to ask a verification question that a bot wouldn't be able to handle, and users can continue their transaction, Helm said.

"I feel pretty good we are on the leading edge of solving this problem," Helms said. "I do think this [Pramana] will become a de facto standard for most ISPs."